> CA operators MUST apply to Mozilla for inclusion of their next generation 
> root certificate at least 2 years before the distrust date of the CA 
> certificate they wish to replace.

Hi Ben.  I would interpret that sentence to mean that if a CA operator misses 
the "at least 2 years" deadline then they are forever forbidden from submitting 
a next generation root certificate for inclusion in Mozilla's root store.  Is 
that the intent?

I think CAs should certainly be encouraged to submit next gen roots in a timely 
fashion, and I think Mozilla shouldn't feel obliged to grant extensions on 
to-be-replaced root removals in order to support CAs that fail to do this "at 
least 2 years" in advance.  However, I think "forever forbidden" is 
unnecessarily harsh!

So I suggest changing "MUST" to "SHOULD".

________________________________
From: [email protected] <[email protected]> on 
behalf of Ben Wilson <[email protected]>
Sent: 26 July 2023 16:42
To: [email protected] <[email protected]>
Subject: MRSP 2.9: Issue#232: Root CA Lifecycles

All,

We previously announced this change in policy over a year ago, and will be 
finalizing it in Version 2.9 of the Mozilla Root Store Policy (MRSP).
Please review this addition, and let us know if you have any final comments.

----- Begin MRSP Revision -----

7.4 Root CA Lifecycles
For a root CA certificate trusted for server authentication, Mozilla will 
remove the websites trust bit when the CA key material is more than 15 years 
old. For a root CA certificate trusted for secure email, Mozilla will set the 
"Distrust for S/MIME After Date" for the CA certificate to 18 years from the CA 
key material generation date. The CA key material generation date SHALL be 
determined by reference to the auditor-witnessed key generation ceremony 
report. If the CA operator cannot provide the key generation ceremony report 
for a root CA certificate created before July 1, 2012, then Mozilla will use 
the “Valid From” date in the root CA certificate to establish the key material 
generation date. For transition purposes, root CA certificates in the Mozilla 
root store will be distrusted according to the schedule located at 
https://wiki.mozilla.org/CA/Root_CA_Lifecycles, which is subject to change if 
underlying algorithms become more susceptible to cryptanalytic attack or if 
other circumstances arise that make this schedule obsolete.
CA operators MUST apply to Mozilla for inclusion of their next generation root 
certificate at least 2 years before the distrust date of the CA certificate 
they wish to replace.

----- End MRSP Revision -----

Thanks,

Ben

--
You received this message because you are subscribed to the Google Groups 
"[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to 
[email protected].
To view this discussion on the web visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabwQ0tiADoo-YNvCSuu3dAxTJOjSKnUbWb6NQasoejQKg%40mail.gmail.com.
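A small date calculator for the section 7.4 rules quoted above, added here as an illustration (it is not code from Mozilla, the MRSP, or anyone in the thread). It assumes the distrust date is the exact 15- or 18-year anniversary of key generation and ignores the wiki transition schedule; all function and constant names are the example's own.

```python
from datetime import date
from typing import Optional

# Lifetimes and cutoff taken from the MRSP 2.9 section 7.4 text quoted in the thread.
WEBSITES_KEY_LIFETIME_YEARS = 15
SMIME_KEY_LIFETIME_YEARS = 18
APPLICATION_LEAD_YEARS = 2
CEREMONY_REPORT_CUTOFF = date(2012, 7, 1)


def add_years(d: date, years: int) -> date:
    """Add (or subtract) calendar years; a Feb 29 start clamps to Feb 28 in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def key_generation_date(valid_from: date, ceremony_date: Optional[date]) -> date:
    """The auditor-witnessed ceremony report governs. The certificate's 'Valid From'
    is accepted only for roots created before July 1, 2012 that have no report."""
    if ceremony_date is not None:
        return ceremony_date
    if valid_from < CEREMONY_REPORT_CUTOFF:
        return valid_from
    raise ValueError("ceremony report required for roots created on or after 2012-07-01")


def root_lifecycle(valid_from: date, ceremony_date: Optional[date] = None) -> dict:
    """Distrust dates per trust bit plus the latest date the replacement root
    may be submitted ('at least 2 years before the distrust date')."""
    generated = key_generation_date(valid_from, ceremony_date)
    websites = add_years(generated, WEBSITES_KEY_LIFETIME_YEARS)
    smime = add_years(generated, SMIME_KEY_LIFETIME_YEARS)
    return {
        "key_generated": generated,
        "websites_distrust": websites,
        "smime_distrust": smime,
        "apply_by_for_websites": add_years(websites, -APPLICATION_LEAD_YEARS),
        "apply_by_for_smime": add_years(smime, -APPLICATION_LEAD_YEARS),
    }


def application_on_time(apply_by: date, applied_on: date) -> bool:
    """True if the inclusion application meets the 2-year lead requirement."""
    return applied_on <= apply_by
```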
